
Draft Guide on Data Transfer Impact Assessments published by the French Data Protection Authority (CNIL)

The French Data Protection Authority (CNIL) has published a draft guide on Transfer Impact Assessment (TIA). The draft guide outlines the procedures and considerations for conducting a TIA. This draft serves as a guideline for organisations that transfer personal data outside of the European Economic Area (EEA) and therefore must assess the level of data protection in the countries of destination.

Background

Under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR), personal data transferred outside of the EEA (for example to a cloud service provider, or when shared with a parent company or subsidiary) must receive the same protection as within the EEA. This is considered to be the case when personal data is transferred to countries covered by an adequacy decision (for example Israel). In the absence of adequacy, data exporters (acting as controllers or processors) must adopt measures such as Binding Corporate Rules (BCR) or Standard Contractual Clauses (SCCs) to compensate for deficiencies in the data protection laws of the third country (to which the personal data is being transferred).

In its “Schrems II” ruling from July 2020, the Court of Justice of the European Union (CJEU) emphasized that both data exporters and data importers are responsible for guaranteeing that personal data, when transferred outside of the EEA, is granted the same level of protection as set by the GDPR.

Requirement for Transfer Impact Assessment

Consequently, data exporters must verify whether the third-country legislation is essentially equivalent to EU protection levels, and implement additional measures where needed. If the transfer relies on a transfer tool under Art. 46 GDPR (such as BCRs or SCCs), a TIA is required, conducted by the data exporter and importer together. Until now, organizations have mainly relied on the recommendations of the European Data Protection Board (EDPB) on supplementary measures complementing the transfer instruments, published in June 2021, to carry out their TIAs.

In this context, the CNIL decided to draft a practical guide to “help data exporters carry out their TIAs.” The CNIL has released a draft of this guide for public consultation until February 12, 2024, with the final version expected to be published later in 2024.

The CNIL Guidelines

The CNIL guide constitutes a methodology which identifies the various elements to be considered when carrying out a TIA. The CNIL points out that the use of this guide is not obligatory; other elements can be considered, and other methodologies can be applied.

The guide provides a TIA template based on the six steps recommended by the EDPB for carrying out a TIA, which are as follows:

  1. Know your transfer;
  2. Document the transfer tool used;
  3. Evaluate the legislation and practices in the country of destination of the personal data and the effectiveness of the transfer tool;
  4. Identify and adopt supplementary measures;
  5. Implement the supplementary measures and the necessary procedural steps;
  6. Re-evaluate at appropriate intervals the level of data protection and monitor potential developments that may affect it.

It is worth noting that the CNIL specifies that in the case of onward transfers, a separate TIA should be carried out for each type of onward transfer.

Compared to the EDPB’s recommendations, the CNIL also increases the responsibilities of the data importer. The CNIL finds the data importer’s cooperation “essential for the TIA to be carried out” and goes on to state that if the data importer is a data processor, its cooperation obligation is part of its obligations under Art. 28 of the GDPR. Essentially, while the main burden of conducting the TIA is on the data exporter, in the CNIL’s opinion the data importer has significant information obligations.

Differences to the ICO’s Transfer Risk Assessment

The CNIL’s guideline follows the EDPB’s recommendations and as such differs from the United Kingdom’s Information Commissioner’s Office (ICO) transfer risk assessment tool, which may be used for transfers of personal data outside of the UK. The purpose of such a transfer risk assessment (TRA) is to assess whether a transfer increases privacy and rights risks compared to keeping the data in the UK. If no significant extra risk is found, the transfer is permitted. The ICO’s TRA tool offers a more risk-based (and possibly more business-friendly) approach compared to the EDPB. The TRA tool focuses mainly on general human rights risks in the destination country, which include (i) risks associated with third-party access to data, especially by government and public bodies, and (ii) risks stemming from challenges in enforcing the Article 46 transfer mechanism.

For more information related to the transfer of personal data and on any other matters relating to privacy and data protection laws, please reach out to us at ERM.

Our partner, Adv. Rotem Perelman-Farhi, head of the Technology, IP and Data Protection Department and Adv. Einat Goldstein, LL.M, associate in the Department, share the essential information.

* This newsletter is provided for informational purposes only, is general in nature, does not constitute a legal opinion or legal advice and should not be relied on as such. If you are seeking legal advice, it is essential to review the specific facts of each case in detail with a qualified lawyer.
